The European Commission has proposed a new package of legal cybersecurity and protection measures in different areas, focused on strengthening the resilience and capabilities of the EU in digital security in the face of the growing number and variety of threats. The package includes a proposal to review the current Cybersecurity Law, in order to improve the security of EU information and communication technology supply chains.
This package therefore seeks, among other things, to guarantee that products reaching EU citizens are “cybersecure” by design, for which the European Commission wants to implement a simpler certification process. Furthermore, the proposed package also facilitates compliance with current EU cybersecurity standards and strengthens the EU Agency for Cybersecurity, ENISA, in its support to member countries and the EU itself in managing cybersecurity threats.
One of the most notable points of this new law, and also the most controversial in relation to certain third countries and companies based there, is the reduction of risks in the EU ICT supply chain from third country suppliers with cybersecurity problems. To achieve this, a reliable security framework for the ICT supply chain will be established based on a harmonized, proportionate and risk-based approach.
This will allow the EU and member countries to jointly identify and mitigate risks in the EU’s 18 critical sectors, taking into account economic impacts and market supply. In this sense, the European Commission points out that in the current geopolitical landscape, supply chain security is no longer limited to the technical security of products or services, but also encompasses risks related to suppliers themselves, specifically foreign dependencies and interference.
With the proposed Cybersecurity Law, in fact, the risks that high-risk third-country providers pose to European mobile telecommunications networks can be reduced on a mandatory basis, building on the work already carried out in the context of the 5G security toolkit. The text does not give names of countries or companies, but according to Reuters, everything indicates that it is designed for China and companies like Huawei or ZTE.
What does this imply? That the EU wants to gradually eliminate components and equipment from high-risk suppliers in 18 sectors that it considers critical. In addition to the aforementioned telecommunications, the measures would apply to 17 other key sectors, such as detection equipment, connected and automated vehicles, electricity supply and storage systems, water supply systems, drones and anti-drone systems, cloud services, medical devices, surveillance equipment, space services and semiconductors.
China, possibly affected by the reforms of the European Commission
Under the proposal, mobile operators will have 36 months from the publication of the list of high-risk suppliers to remove key components from their networks. Removal deadlines for fixed networks, including fiber optic and submarine cables, as well as satellite networks, will be announced later.
Of course, restrictions on suppliers from countries considered a cybersecurity risk would only come into force after a formal risk evaluation opened by the European Commission, or by at least three EU countries. Any measures taken in this case would be based on market analysis and impact assessments.
Telecoms lobby group Connect Europe does not agree with this measure, having warned that the proposals will increase the burden on the sector, with additional regulatory costs totaling billions of euros. Of course, it will still take some time until the law can come into force. The European Commission will still have to negotiate the text of the new measures with EU governments and the European Parliament, a process that will take several months.
On the other hand, the revised Cybersecurity Law will ensure that products and services reaching EU consumers are security tested more efficiently. This will be done through a renewed European Cybersecurity Certification Framework. This framework will provide greater clarity and simpler procedures, allowing certification schemes to be put in place within 12 months by default. Additionally, it will enable more agile and transparent governance to better engage stakeholders through public information and consultation.
ENISA’s role in the EU cybersecurity of the future
The certification systems, managed by ENISA, will be a practical, but voluntary, tool for companies. They will allow them to demonstrate compliance with EU laws, as well as certify their cyber posture to meet renewed needs.
The package will also include measures to simplify compliance with EU cybersecurity rules and risk management requirements for companies operating in the EU, complementing the single point of entry for incident reporting proposed in the Digital Omnibus.
The changes proposed specifically for the NIS2 Directive aim to increase legal clarity and thus facilitate compliance for companies of all sizes. They will also introduce a new category of small mid-cap companies to reduce compliance costs for several thousand of them. In parallel, the changes will simplify jurisdictional rules, speed up the collection of data on ransomware attacks and facilitate the supervision of cross-border entities by strengthening ENISA’s coordination function.
This organization will continue to support companies and stakeholders operating in the EU by issuing early warnings on cyber threats and incidents. In cooperation with Europol and cybersecurity incident response teams, it will help companies respond to and recover from ransomware attacks, and develop an EU approach to offer better vulnerability management services.
In addition, ENISA will be responsible for managing the single entry point for incident notification proposed in the Digital Omnibus. Furthermore, it will launch the Cybersecurity Skills Academy, and establish cybersecurity skills certification systems at EU level.
